Update all dependencies

[github-actions]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
@angular-devkit/build-angular	devDependencies	patch	22.0.0 → 22.0.1
@angular-devkit/core	devDependencies	patch	22.0.0 → 22.0.1
@angular/animations (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/build	devDependencies	patch	22.0.0 → 22.0.1
@angular/cdk	dependencies	patch	22.0.0 → 22.0.1
@angular/cli	devDependencies	patch	22.0.0 → 22.0.1
@angular/common (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/compiler (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/compiler-cli (source)	devDependencies	patch	22.0.0 → 22.0.1
@angular/core (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/forms (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/material	dependencies	patch	22.0.0 → 22.0.1
@angular/platform-browser (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/platform-browser-dynamic (source)	dependencies	patch	22.0.0 → 22.0.1
@angular/router (source)	dependencies	patch	22.0.0 → 22.0.1
@grafana/faro-web-sdk (source)	dependencies	patch	2.7.0 → 2.7.1
@mucsi96/angular-material-theme (source)	dependencies	minor	1.9.0 → 1.10.0
@types/node (source)	devDependencies	patch	25.9.2 → 25.9.3
org.springframework.ai:spring-ai-bom	import	patch	2.0.0-RC1 → 2.0.0
org.springframework.boot:spring-boot-starter-parent (source)	parent	minor	4.0.6 → 4.1.0

---

Release Notes

angular/angular-cli (@​angular-devkit/build-angular)

v22.0.1

Compare Source

@​angular/cli

Commit	Type	Description
b54e9a549	fix	do not sort migrations of the same version alphabetically
d33311612	fix	fallback to local package.json for schematic detection on first run
918102a93	fix	isolate temporary package installation from parent pnpm workspace
b048b5f4a	fix	remove forceAuth and unscoped credential parsing
277934035	fix	validate registry option is a valid URL in ng add
4510dae02	perf	optimize update schematic registry query counts by fetching package metadata lazily

@​schematics/angular

Commit	Type	Description
c80012294	fix	fix browserMode option mapping in refactor-jasmine-vitest
a9b6bd904	fix	safely comment out multiline statements in refactor-jasmine-vitest
12199df00	fix	use null objects and callbacks in karma-to-vitest migration

@​angular/build

Commit	Type	Description
89d1be979	fix	allow disabling Vitest isolation from builder
d45b84be9	fix	exclude JSON imports from Vite dependency optimization
e3cab4ddd	fix	prevent concurrent stylesheet bundling esbuild context leaks
bd413b0eb	fix	restrict application builder output paths to output directory

angular/angular (@​angular/animations)

v22.0.1

Compare Source

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
  (cherry picked from commit 8446e46)

common

Commit	Type	Description
c4b5fa3c92	fix	escape CSS string-terminating characters in escapeCssUrl
dfff57ede9	fix	Limits date format string length
3c2892c8df	fix	prevent prototype pollution in formatDateTime
1d87c49f6e	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
1ee224ca30	fix	disallow i18n event attributes
a56f1cdf8f	fix	more robust logic to check if regex can be optimized
5946c18275	fix	sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8	fix	sanitize two-way properties

compiler-cli

Commit	Type	Description
3d9ca2f173	fix	bind switch exhaustive check expressions

core

Commit	Type	Description
669146b0e7	fix	disable WebMCP during SSR
562a566ead	fix	Handle synchronous errors in PendingTasks.run function
fa546f382d	fix	harden TransferState restoration against DOM clobbering
29fdb98684	fix	prevent dangling prevConsumer reference from leaking destroyed views (#​68681)
cdcea80327	fix	require WebMCP tool descriptions
4289c4c840	fix	update comment for Default change detection
3dd433b39a	fix	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3	fix	validate lowercase SVG animation attribute names

forms

Commit	Type	Description
11836a670a	fix	delay mcp reading the form model by a tick
85d2d100e3	fix	harden FormGroup control lookups against prototype shadowing
e51ad374ea	fix	remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6	fix	set additionalProperties: false on generated WebMCP form

http

Commit	Type	Description
ffb06c0514	fix	ensure query parameters are inserted before URL fragments
2dd65d21e6	fix	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c	fix	preserve empty referrer option in HttpRequest
167bd4c162	fix	Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit	Type	Description
43a0e28729	fix	prevent external template inlay hints from appearing in TS files

platform-server

Commit	Type	Description
ed48ca7f51	fix	harden platform location origin validation during SSR
1881ede3a7	refactor	deprecate ServerXhr

router

Commit	Type	Description
43edc8410f	fix	use native URL object for navigation boundary and comparison

service-worker

Commit	Type	Description
cf97b1f828	fix	Strips sensitive headers on cross-origin redirects

angular/components (@​angular/cdk)

v22.0.1

Compare Source

aria

Commit	Type	Description
7581b0592	fix	combobox: avoid error for synthetic events (#​33360)
1c4706155	fix	combobox: prevent re-dispatching keyboard event on control target change (#​33362)
96e9ce10c	fix	tree: recursive textDirection getter (#​33337)

cdk

Commit	Type	Description
629aea403	fix	a11y: avoid prototype conflicts in id generator (#​33356)
49aeb676c	fix	clipboard: avoid infinite attempt loop (#​33366)

material

Commit	Type	Description
d7a8cb963	fix	dialog: ignore clicks on aria-disabled close buttons (#​33373)
bde3c7621	fix	timepicker: do not allow intervals less than a second (#​33354)

youtube-player

Commit	Type	Description
d75a22d69	fix	avoid errors with clobbered variables
fe0a96ce6	fix	validate ID before attaching them to placeholder

grafana/faro-web-sdk (@​grafana/faro-web-sdk)

v2.7.1

Compare Source

Bug Fixes

• core: use crypto.getRandomValues in genShortID (#​2108) (7f54972)
• deps: regenerate yarn.lock to drop stale semver descriptor (#​2107) (9ada1a0)
• instrumentation: incomplete regular expression for hostnames (#​2096) (fc43fb5)
• react: import unknownString from declared @​grafana/faro-web-sdk (#​2116) (28e1efd)
• web-sdk: cap stack-frame line length to bound regex backtracking (#​2109) (b484c31)

mucsi96/angular-material-theme (@​mucsi96/angular-material-theme)

v1.10.0

Compare Source

spring-projects/spring-ai (org.springframework.ai:spring-ai-bom)

v2.0.0: Spring AI 2.0.0 GA

Compare Source

For upgrading from 1.1.x to 2.0.0, please refer to the upgrade notes here.

For the detailed reference documentation on 2.0.0, please refer here

⭐ New Features

• Update Google GenAI models #​6406
• Use only Jackson 2 in OpenAiChatModel #​6392
• Make org.springframework.ai.image.observation null-marked #​6388
• Polish Prompt #​6387
• Preserve OpenAI tool call additional properties #​6365

🐞 Bug Fixes

• Filter unsupported tool messages in CassandraChatMemoryRepository #​6400
• Filter unsupported tool messages in MongoChatMemoryRepository #​6399
• Filter unsupported tool messages in JdbcChatMemoryRepository #​6398
• Remove streamToolCallResponses from advisor builders #​6391
• Add missing promptCacheKey parameter in OpenAiChatOptions #​6380

📔 Documentation

• Update reference docs to reflect 2.0 API changes #​6405
• Add more guides #​6401
• Introduce CLAUDE.md and AGENTS.md #​6376
• Consolidate upgrade notes for 2.0.0 #​6333

🔨 Dependency Upgrades

• Upgrade to MCP SDK 2.0.0 #​6385
• Upgrade to Spring Boot 4.1.0 #​6329

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ericbottard, @​guanxuc, @​ilayaperumalg, @​sdeleuze, @​sdudzin, @​tzolov, and @​ultramancode

v2.0.0-RC2: 2.0.0-RC2

Compare Source

⭐ New Features

• Make Anthropic HTTP client configurable #​6354
• Restore compatibility with Spring Framework < 7.0.4 #​6334
• Make OpenAI HTTP Client configurable #​6294

🐞 Bug Fixes

• Fix BedrockProxyChatModel model option handling #​6370
• Fix spring-ai-autoconfigure-model-bedrock-ai dependencies #​6368
• 2.0.0-RC1 regression: additional dependency is needed for Bedrock SDK #​6367
• Always auto-register ToolCallingAdvisor to support runtime-injected tools #​6349
• Restore options replacing instead of merging in ChatModel #​6336
• Replay reasoning_content in OpenAI assistant history #​6296
• Fix OllamaChatModel dropping thinking field in multi-turn conversation history #​6062
• Binding failure for spring.ai.ollama.chat.think #​4853

📔 Documentation

• Document native structured output limitations for Ollama and OpenAI #​6363
• Rewrite CONTRIBUTING.adoc and convert it to CONTRIBUTING.md #​6352
• Fix tool callback example in user-controlled tool execution docs #​6324

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ThomasVitale, @​ericbottard, @​guanxuc, @​ilayaperumalg, @​sdeleuze, @​sdudzin, @​suryateja-g13, @​tzolov, and @​uc4w6c

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)

v4.1.0

Compare Source

Full release notes for Spring Boot 4.1 are available on the wiki.

⭐ New Features

• Add public constructor to InvalidConfigurationPropertyValueException that accepts a cause #​50211
• Reduce memory consumption when repeatedly calling WritableJson.toByteArray #​49428

🐞 Bug Fixes

• MailSender auto-configuration does not enable hostname verification #​50747
• Artemis auto-configuration uses a predictable default location for the embedded broker's data #​50745
• Embedded LDAP SSL should not be enabled when its bundle is empty #​50700
• InetAddressFilter.externalAddresses does not exclude special purpose addresses from RFC 6890 #​50668
• NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #​50645
• SSL should not be enabled when a SSL bundle is overridden to an empty string #​50635
• Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #​50633
• Configuration property metadata includes incorrect class references #​50632
• Docker Compose support does not restore thread interrupt flag when catching InterruptedException #​50618
• RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #​50612
• NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #​50610
• SpringJtaPlatform should have been deprecated since 4.1.0-M3 #​50592
• Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #​50510
• ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #​50417
• Created StackTracePrinter instances have no access to the Environment #​50414
• MappingsEndpoint reports the context's own ID as parentId when a parent exists #​50412
• Buildpack module does not validate long-to-int casts #​50410
• Gradle gRPC support fails if protobuf-java dependency is used instead of protobuf-java-util #​50405
• GraphQL WebSocket support does not configure allowed origins #​50394
• Spring Boot Loader Does Not Support RSA and EC Signed Jars #​50298
• Meter registries are not removed from the global registry when the context is closed #​50287
• DataSourceBuilder cannot derive a DataSource from a lazy connection proxy #​50271
• Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #​50266
• Bean definitions can be added with an initializer before setAllowBeanDefinitionOverriding is called #​50264
• EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #​50261
• Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #​50258
• ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #​50234
• NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #​50228
• Missing dependency management for spring-boot-web-server-test #​50224
• Spring Batch support for MongoDB modules are not included in dependency management #​50223
• Apply HTML escaping to timestamp attribute in Whitelabel error page #​50216
• GrpcServerHealthScheduler is not started in servlet environments #​50209
• Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #​50204

📔 Documentation

• Fix reference to Gradle documentation for module replacement #​50647
• Document SSL reloading with Let's Encrypt #​50630
• Remove the use of Optional from Data Neo4j repository examples #​50622
• Fix typos in documentation #​50620
• Clarify dependency requirement for Bean Validation support #​50614
• Document Java 25 requirement for AOT cache #​50485
• Add links for Java CAS Client Spring Boot Starter #​50285
• Document known testcontainers lifecycle issues #​50220
• Document adding multiple connectors for Jetty #​50218
• Polish InvalidConfigurationPropertyValueException constructor javadoc #​50214
• Fix typo in Spring Security OAuth2 client registration documentation #​50199

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 6.2.6 #​50652
• Upgrade to Byte Buddy 1.18.10 #​50693
• Upgrade to Caffeine 3.2.4 #​50338
• Upgrade to Cassandra Driver 4.19.3 #​50654
• Upgrade to Couchbase Client 3.11.3 #​50576
• Upgrade to Elasticsearch Client 9.4.2 #​50655
• Upgrade to Glassfish JAXB 4.0.9 #​50656
• Upgrade to Groovy 5.0.6 #​50340
• Upgrade to Hibernate 7.4.1.Final #​50732
• Upgrade to Infinispan 16.1.4 #​50342
• Upgrade to Jackson 2 Bom 2.21.4 #​50657
• Upgrade to Jackson Bom 3.1.4 #​50658
• Upgrade to Jakarta Json Bind 3.0.2 #​50659
• Upgrade to Jakarta XML Bind 4.0.5 #​50345
• Upgrade to Jaxen 2.0.6 #​50710
• Upgrade to Jetty 12.1.10 #​50661
• Upgrade to Jetty Reactive HTTPClient 4.1.5 #​50711
• Upgrade to jOOQ 3.21.5 #​50712
• Upgrade to Kafka 4.2.1 #​50662
• Upgrade to Kotlin 2.3.21 #​50347
• Upgrade to Lettuce 7.5.2.RELEASE #​50581
• Upgrade to Liquibase 5.0.3 #​50582
• Upgrade to Logback 1.5.34 #​50663
• Upgrade to Maven Enforcer Plugin 3.6.3 #​50583
• Upgrade to Maven Failsafe Plugin 3.5.6 #​50664
• Upgrade to Maven Surefire Plugin 3.5.6 #​50665
• Upgrade to Micrometer 1.17.0 #​50559
• Upgrade to Micrometer Tracing 1.7.0 #​50560
• Upgrade to MongoDB 5.8.0 #​50608
• Upgrade to Native Build Tools Plugin 1.1.1 #​50585
• Upgrade to Neo4j Java Driver 6.1.0 #​50586
• Upgrade to Netty 4.2.15.Final #​50666
• Upgrade to OpenTelemetry 1.62.0 #​50588
• Upgrade to Oracle Database 23.26.2.0.0 #​50667
• Upgrade to Postgresql 42.7.11 #​50349
• Upgrade to Protobuf Java 4.34.2 #​50590
• Upgrade to Protobuf Maven Plugin 5.1.4 #​50589
• Upgrade to Pulsar 4.2.2 #​50713
• Upgrade to R2DBC MySQL 1.4.2 #​50351
• Upgrade to Reactor Bom 2025.0.6 #​50561
• Upgrade to SAAJ Impl 3.0.6 #​50714
• Upgrade to SLF4J 2.0.18 #​50591
• Upgrade to Spring AMQP 4.1.0 #​50562
• Upgrade to Spring Batch 6.0.4 #​50563
• Upgrade to Spring Data Bom 2026.0.0 #​50564
• Upgrade to Spring Framework 7.0.8 #​50565
• Upgrade to Spring GraphQL 2.0.4 #​50741
• Upgrade to Spring gRPC 1.1.0 #​50566
• Upgrade to Spring HATEOAS 3.1.1 #​50567
• Upgrade to Spring Integration 7.1.0 #​50568
• Upgrade to Spring Kafka 4.1.0 #​50569
• Upgrade to Spring LDAP 4.1.0 #​50570
• Upgrade to Spring Pulsar 2.0.6 #​50571
• Upgrade to Spring RESTDocs 4.0.1 #​50572
• Upgrade to Spring Security 7.1.0 #​50573
• Upgrade to Spring Session 4.1.0 #​50574
• Upgrade to Spring WS 5.0.2 #​50575
• Upgrade to SQLite JDBC 3.53.2.0 #​50715
• Upgrade to Tomcat 11.0.22 #​50354

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Abdlatif-nabgha, @​DragonFSKY, @​Kapil-chn7, @​Kimgyuilli, @​SJvaca30, @​SebTardif, @​ares333, @​codingkiddo, @​dlwldnjs1009, @​eddumelendez, @​henriquejsza, @​igormukhin, @​johnnypwong, @​kwondh5217, @​leestana01, @​mheath, @​mmoayyed, @​msridhar, @​ngocnhan-tran1996, @​nosan, @​quaff, @​scordio, @​vinhhieu21, @​vpavic, @​won-seoop, and @​zxuhan

v4.0.7

Compare Source

🐞 Bug Fixes

• MailSender auto-configuration does not enable hostname verification #​50746
• Artemis auto-configuration uses a predictable default location for the embedded broker's data #​50744
• NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #​50640
• SSL should not be enabled when a SSL bundle is overridden to an empty string #​50634
• Docker Compose support does not restore thread interrupt flag when catching InterruptedException #​50617
• RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #​50611
• NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #​50609
• Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #​50602
• Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #​50509
• ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #​50416
• Created StackTracePrinter instances have no access to the Environment #​50413
• MappingsEndpoint reports the context's own ID as parentId when a parent exists #​50411
• Buildpack module does not validate long-to-int casts #​50409
• GraphQL WebSocket support does not configure allowed origins #​50393
• Configuration property metadata includes incorrect class references #​50375
• Spring Boot Loader Does Not Support RSA and EC Signed Jars #​50297
• Meter registries are not removed from the global registry when the context is closed #​50286
• Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #​50265
• EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #​50260
• Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #​50257
• ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #​50233
• NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #​50227
• Apply HTML escaping to timestamp attribute in Whitelabel error page #​50215
• Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #​50201

📔 Documentation

• Fix reference to Gradle documentation for module replacement #​50646
• Document SSL reloading with Let's Encrypt #​50629
• Remove the use of Optional from Data Neo4j reposito

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.